Artificial Intelligence (AI)? You’ve Just Lost Two Buyers

I am absolutely sick to death of security vendors using the buzz-phrase Artificial Intelligence (AI) as a descriptor for their product or service.


  1. AI does not even exist yet; the most you can say is that it is very clever programming.
  2. Not everyone is a fan of AI.

So, by trying to claim your product uses AI, you have now alienated two types of people: 1) those who hate bullsh*t artists, and 2) the paranoid.

In cybersecurity, there are a lot of both.

And it's all so unnecessary! The HOW of what your product does is nowhere near as important as the WHAT, and if you can't describe how that fixes my immediate, organisation-specific problem(s), I'm no longer listening.

Since there is no way you have an AI engine doing the work, what do you have? As long as your explanation is simple, makes sense, and I can apply it directly to my needs, I'm happy for you to continue your pitch. However, if you focus on the buzz/hype and not the function, you will have lost me again.

For example, if I were in the market for a data discovery tool, just telling me you use Machine Learning (ML) to detect unstructured personal data will get you no further than that sentence. But tell me you have an engine fed by both linguistics/syntax experts and the ongoing resolution of false positives specific to my environment, and you will have my attention.

I actually have no issue with ML, until you claim it's something more than what it is: clever programming. It might even be genius-level programming, but it's still based on some form of input that will never be replaced entirely. It will NEVER work everything out for itself.
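To make the data discovery example above concrete, here is an added illustration (not code from this post or from any vendor) of the kind of engine described: the detection rules are the human-authored input (three hand-written regexes standing in for the linguistics/syntax expertise), and the "learning" is nothing more than bookkeeping over analyst verdicts, i.e. a per-rule precision estimate and a suppression list of values the business has confirmed are not personal data. The sample text, rule set, rule names and verdicts are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Expert-authored rules: the human input the engine depends on. These are
# deliberately simple stand-ins, not a production-grade pattern set.
RULES = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "uk_ni_number": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    "phone": re.compile(r"(?<!\d)(?:\+44\s?\d{4}|0\d{4})\s?\d{3}\s?\d{3}(?!\d)"),
}

# Constructed sample of "unstructured" text to scan.
SAMPLE = "\n".join([
    "Ticket 1042: customer AB123456C called from 01632 960 123 about invoice",
    "Automated notice from noreply@example.com, reply to jane.doe@example.com",
])


@dataclass
class Finding:
    rule: str
    value: str
    line_no: int
    confidence: float  # current precision estimate for the rule that fired


class Discovery:
    def __init__(self, rules):
        self.rules = rules
        # Per-rule analyst verdict counts, seeded with a neutral 1:1 prior.
        self.stats = {name: {"tp": 1, "fp": 1} for name in rules}
        # (rule, value) pairs the business has rejected in THIS environment.
        self.known_fp = set()

    def precision(self, rule):
        s = self.stats[rule]
        return s["tp"] / (s["tp"] + s["fp"])

    def scan(self, text):
        """Run every rule over every line, dropping known false positives."""
        findings = []
        for n, line in enumerate(text.splitlines(), 1):
            for name, rx in self.rules.items():
                for m in rx.finditer(line):
                    if (name, m.group()) in self.known_fp:
                        continue
                    findings.append(Finding(name, m.group(), n, self.precision(name)))
        return findings

    def feedback(self, finding, is_personal_data):
        """Record an analyst verdict; the rules themselves never change."""
        self.stats[finding.rule]["tp" if is_personal_data else "fp"] += 1
        if not is_personal_data:
            self.known_fp.add((finding.rule, finding.value))


def run_demo():
    """Scan, apply constructed analyst verdicts, then scan again."""
    engine = Discovery(RULES)
    first = engine.scan(SAMPLE)
    for f in first:
        # Constructed verdict: the shared noreply mailbox is not personal data.
        engine.feedback(f, is_personal_data=(f.value != "noreply@example.com"))
    second = engine.scan(SAMPLE)
    return first, second, engine


if __name__ == "__main__":
    before, after, eng = run_demo()
    for f in after:
        print(f"line {f.line_no}: {f.rule}={f.value!r} (precision {f.confidence:.2f})")
```

Note what the feedback loop does and does not do: it never writes a new rule, it only reweights and suppresses what the expert-written rules already produce. That is exactly why the output gets more accurate for one environment without the engine getting "smarter" in any general sense, and why the baseline verdicts have to come from the business.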

Machine learning is “the scientific study of algorithms and statistical models that computer systems use in order to perform a specific task effectively without using explicit instructions, relying on patterns and inference instead.”

These things do not get smarter; they get more accurate. Don't claim otherwise.

And the part everyone seems to forget? You cannot have ANY type of learning, machine or otherwise, if you don't set appropriate baselines: baselines set by the business, not the vendors, and predicated on:

  1. what’s most important to the business;
  2. the business’s risk appetite;
  3. the relevant contents of the organisation’s Policies and Standards;
  4. the organisation’s current threat profile / exposure; and
  5. the [functional] security requirements gap as determined by the latest risk assessment / business impact analysis cycle.

As a buyer of security technology you shouldn't even be talking to vendors until you've worked this out. And to be clear, how you do these things has been written down for generations and is part of EVERY good practice framework out there.

It seems the entire ecosystem of security product vendors is now driven by demand generation, not needs fulfilment. And the only reason that this is a multi-billion £/$/€ market is that most organisations are too damned lazy to work out what their needs are.

So before you suffer through another interminable product pitch, do two things:

  1. At a minimum, work out items 1, 2, 4 and 5 above (3 can be worked on over time); and
  2. print this blog and have the vendor read it first.

Now watch them mad-scramble trying to explain away the bullsh*t in their presentation.

